Skip to content
Threat Feed
critical advisory

SiYuan Unauthenticated Admin API Access via Chrome Extension Allowlist

A critical vulnerability (CVE-2026-54069) in SiYuan Note kernel's HTTP server allows any Chrome/Chromium browser extension to gain unauthenticated RoleAdministrator access, enabling data exfiltration, stored XSS injection, and configuration tampering for SiYuan desktop users, including via compromised legitimate extensions.

A critical vulnerability (CVE-2026-54069) has been identified in SiYuan Note's kernel HTTP server (versions <= v3.6.5). The server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. This oversight, combined with an empty default AccessAuthCode on desktop installations, means any Chrome or Chromium extension, including those with minimal permissions or a legitimately compromised one, can make fully authenticated admin API calls to the SiYuan kernel running on 127.0.0.1:6806. This allows attackers to exfiltrate sensitive workspace data, inject persistent cross-site scripting (XSS) payloads into notes, and tamper with SiYuan's configuration, potentially leading to further compromise or data loss. The vulnerability acts as a privilege escalation and an initial access vector into the SiYuan application for malicious extensions.

Attack Chain

  1. A user installs a malicious or compromised Chrome/Chromium browser extension. The extension requires no special host_permissions as the SiYuan kernel is accessible via localhost.
  2. The browser extension, executing its bg.js background script, initiates HTTP POST requests to the SiYuan kernel's API endpoint, typically http://127.0.0.1:6806.
  3. The SiYuan kernel's CheckAuth middleware identifies the Origin header as chrome-extension:// and unconditionally bypasses authentication.
  4. The SiYuan kernel assigns RoleAdministrator to the incoming request, effectively granting full administrative control to the extension.
  5. The malicious extension makes API calls such as /api/system/getConf to verify its administrative access.
  6. The extension then exploits its administrative access to perform actions like data exfiltration using /api/query/sql to extract the entire workspace or inject stored XSS payloads into notes via /api/block/insertBlock.
  7. Further impact can include configuration tampering via /api/system/setConf, potentially leading to persistence or expanded attack surface.
  8. The attacker achieves data exfiltration, persistent code execution via XSS, or other destructive actions within the SiYuan application.

Impact

The vulnerability (CVE-2026-54069) allows for full administrative control over the SiYuan Note kernel by any installed Chrome/Chromium extension. Successful exploitation enables unauthenticated data exfiltration of the entire workspace, including sensitive notes and documents, through APIs like /api/query/sql. Attackers can also inject stored XSS payloads into user notes, leading to persistent client-side code execution within the SiYuan application and potential session hijacking or further data compromise. Configuration tampering is possible via /api/system/setConf, which could be used to establish persistence or degrade the application's security. This vulnerability represents a significant supply chain risk, as a single compromised popular browser extension could silently affect a wide user base of SiYuan desktop users.

Recommendation

  • Patch CVE-2026-54069 by upgrading SiYuan Note to a version beyond v3.6.5 that contains the fix for the blanket chrome-extension:// allowlist.
  • Implement host-based intrusion detection system (HIDS) rules to alert on suspicious network connections originating from browser processes (e.g., chrome.exe, msedge.exe) to 127.0.0.1 on port 6806, as detailed in the Sigma rule below.
  • Review web server or proxy logs (if applicable and configured to intercept loopback traffic) for HTTP POST requests to /api/query/sql, /api/block/insertBlock, or /api/system/setConf on 127.0.0.1:6806 with Origin headers starting with chrome-extension://.
  • Monitor for unusual activity related to the SiYuan application, such as unexpected file modifications or API calls, which may indicate configuration tampering or data exfiltration.

Detection coverage 1

Detect SiYuan Kernel Admin API Access from Browser Process

medium

Detects network connections from browser processes to the SiYuan kernel's local HTTP API port (6806). This may indicate attempted exploitation of CVE-2026-54069 by a malicious browser extension.

sigma tactics: exfiltration, privilege_escalation techniques: T1005, T1068 sources: network_connection, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

domain

TypeValue
domainattacker.example